# =============================================================================
# Whaley instancer configuration template
# =============================================================================
# Copy this file to .env and replace every placeholder value (your_*_here,
# whaley:whaley, example.com, the ADMIN_PATH suffix) before deploying.
# The resulting .env holds secrets (API keys, database password, webhook URL):
# keep it out of version control and restrict its file permissions.
# Server Configuration
# 0.0.0.0 listens on every interface of the host. If only a local reverse
# proxy needs to reach the app, binding to 127.0.0.1 narrows exposure.
HOST=0.0.0.0
PORT=8000
# Keep false outside local development; debug modes typically expose stack
# traces and internal state to clients.
DEBUG=false
# Authentication Mode: "ctfd" or "none"
# "none" presumably disables player authentication entirely -- confirm what
# the instancer enforces in this mode before using it on a reachable host.
AUTH_MODE=none
# CTFd Configuration (only needed if AUTH_MODE=ctfd)
CTFD_URL=https://your-ctfd-instance.com
# Admin-level CTFd API key (DYNAMIC_FLAGS requires admin permissions, see below).
# This credential can administer the whole CTFd instance; prefer a dedicated
# key that can be rotated independently of other automation.
CTFD_API_KEY=your_admin_api_key
# Admin Dashboard Configuration
# Generate a strong random key: openssl rand -hex 32
# The placeholder below is not a valid secret; the dashboard must not go live
# with it.
ADMIN_KEY=your_secret_admin_key_here
# Prometheus scrape authentication for /metrics endpoint
# Prometheus must send this secret as Bearer token.
# Generate it the same way as ADMIN_KEY; do not reuse ADMIN_KEY here so that
# the metrics credential can be rotated without touching admin access.
METRICS_SECRET=your_metrics_secret_here
# Discord notifications (optional)
# Leave empty to disable webhook notifications
# The webhook URL itself is the credential: anyone holding it can post to the
# channel, so treat it like the other secrets in this file.
DISCORD_WEBHOOK_URL=
# Instance Settings
# Per-user / per-team caps bound resource use from a single player or team.
MAX_INSTANCES_PER_USER=3
MAX_INSTANCES_PER_TEAM=5
# Instance lifetime (presumably seconds -- 3600 = 1 hour; confirm the unit
# against the code that reads it).
INSTANCE_TIMEOUT=3600
# Port Range for Challenge backend bindings on VM2
# These ports are consumed by Traefik services, not exposed directly to players.
# That assumption only holds if the host firewall blocks inbound traffic to
# this range from player networks; verify it rather than relying on routing.
PORT_RANGE_START=30000
PORT_RANGE_END=40000
# Challenges Directory
CHALLENGES_DIR=/challenges
# Public host for instance access
# Set to "auto" for automatic IP detection, or specify your VPS IP/domain
# NOTE(review): how "auto" detects the IP is not documented here; pin an
# explicit value if the host has several interfaces or sits behind NAT.
PUBLIC_HOST=auto
# =============================================================================
# Database Configuration
# =============================================================================
# PostgreSQL (default)
# The URL embeds the credentials and must agree with POSTGRES_USER /
# POSTGRES_PASSWORD below. whaley:whaley is a default credential pair and
# should be changed anywhere the database is reachable beyond the compose
# network.
DATABASE_URL=postgresql+asyncpg://whaley:whaley@postgres:5432/whaley
POSTGRES_USER=whaley
POSTGRES_PASSWORD=whaley
POSTGRES_DB=whaley
# SQLite (fallback for single-server development without PostgreSQL)
# DATABASE_URL=sqlite+aiosqlite:///./data/whaley.db
# Data directory (forensics, event logs, etc.)
# Captured container logs may contain player input and flags; restrict
# access to this directory accordingly.
DATA_DIR=/app/data
# =============================================================================
# Redis Configuration (Required for multi-worker deployments)
# =============================================================================
# Redis URL for distributed locking
# Leave empty to use local asyncio locks (single worker only)
# This URL carries no password; Redis should only be reachable on a private
# network, or the URL should include credentials (redis://:password@host:port/db).
REDIS_URL=redis://redis:6379/0
# =============================================================================
# Traefik Redis KV Provider (Dynamic Routers/Services)
# =============================================================================
# Enable dynamic Traefik routing through shared Redis KV
# Because routers and services are read from this KV store, write access to
# it amounts to control over Traefik routing; scope Redis access accordingly.
TRAEFIK_REDIS_ENABLED=true
# Shared Redis used by Traefik provider (falls back to REDIS_URL when empty)
TRAEFIK_REDIS_URL=redis://redis:6379/0
# Domain pattern for per-instance routing: <instanceId>.<TRAEFIK_BASE_DOMAIN>
# A wildcard DNS record and certificate for *.<TRAEFIK_BASE_DOMAIN> are
# presumably needed for this pattern -- confirm with the Traefik setup.
TRAEFIK_BASE_DOMAIN=ctf.example
# Hostname/IP that Traefik can use to reach this VM's backend-bound ports
TRAEFIK_BACKEND_HOST=challenges-vm
# Extra /etc/hosts entries for the instancer container (e.g., Traefik host resolution)
EXTRA_HOST_NAME=main-vm
EXTRA_HOST_IP=10.0.0.2
# Traefik entrypoint names (must exist in Traefik static config)
TRAEFIK_HTTP_ENTRYPOINT=websecure
TRAEFIK_TCP_ENTRYPOINT=tcp-challenges
# Public fixed TCP port exposed by Traefik for SNI routing
TRAEFIK_TCP_EXTERNAL_PORT=5443
# TLS option names from Traefik global tls.yml/static config
TRAEFIK_HTTP_TLS_OPTIONS=default
TRAEFIK_TCP_TLS_OPTIONS=default
# Permanent key bootstrap
# NOTE(review): the role of this "block all" address is not documented here;
# 127.0.0.1:9 (TCP discard port) looks like a sink backend for routes that
# must not reach anything -- confirm against the Traefik provider code.
TRAEFIK_BLOCK_ALL_ADDRESS=127.0.0.1:9
# Optional comma-separated Traefik dashboard users for basic auth middleware
# Entry format is not specified here (presumably htpasswd-style user:hash).
# If left empty, confirm the dashboard is unreachable rather than
# unauthenticated.
TRAEFIK_DASHBOARD_USERS=
# Optional YAML file or JSON payload containing additional permanent keys
TRAEFIK_PERMANENT_KEYS_FILE=
TRAEFIK_PERMANENT_KEYS_JSON=
# =============================================================================
# Network Isolation
# =============================================================================
# Create isolated Docker network per instance (recommended)
# Disabling this lets instances of different players see each other on a
# shared network; keep it enabled for any multi-player deployment.
NETWORK_ISOLATION_ENABLED=true
# Disable inter-container communication within instance network
NETWORK_ICC_DISABLED=true
# Prefix for instance network names
NETWORK_PREFIX=whaley
# =============================================================================
# Dynamic Flags
# =============================================================================
# Enable per-user unique flags - each user gets different flag per challenge
# Requires AUTH_MODE=ctfd and valid CTFD_API_KEY with admin permissions
# Per-user flags make shared flags attributable to the account that leaked
# them; they do nothing with AUTH_MODE=none.
DYNAMIC_FLAGS_ENABLED=false
# Prefix for generated flags (e.g., FLAG{random_hex} or CTF{random_hex})
FLAG_PREFIX=FLAG
# =============================================================================
# Instance Forensics (Docker Log Capture)
# =============================================================================
# Auto-capture logs when instances terminate
# Captured logs are written under DATA_DIR; enabling this is what gives you
# evidence after an instance is abused or breaks out.
FORENSICS_AUTO_CAPTURE=false
# Maximum log size per instance (MB)
FORENSICS_MAX_SIZE_MB=5
# Maximum lines to capture per container
FORENSICS_TAIL_LINES=1000
# Auto-delete logs older than this (hours); 168 = 7 days
FORENSICS_RETENTION_HOURS=168
# Compress logs with gzip
FORENSICS_COMPRESSION=true
# Admin Dashboard Path (randomized for security through obscurity)
# The value below is a fixed example shared by every copy of this template,
# so it provides no obscurity at all: generate a fresh suffix per deployment
# (e.g. openssl rand -hex 8). The path is not an access control; ADMIN_KEY
# presumably remains the gate -- confirm the dashboard rejects requests
# without it.
ADMIN_PATH=admin-560db506a9a6b70f